Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Nagios Log Server < 1.4.2 Multiple Vulnerabilities

Critical

Synopsis

The remote host is running a version of Nagios Log Server that is affected by multiple attack vectors.

Description

Versions of Nagios Log Server prior to 1.4.2 are vulnerable to the following issues :

- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the '/nagioslogserver/dashboard' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 143232) - A flaw exists in the 'api/check/create/1' script that is due to the server failing to properly enforce access controls related to the 'alert' parameter. This may allow a remote attacker to execute arbitrary code. (OSVDB 143233) - A flaw exists that is due to the program setting insecure permissions for 'get_logstash_ports.sha'. This may allow a local attacker to gain elevated privileges. (OSVDB 143234)

Solution

Upgrade Log Server to version 1.4.2 or later.